Separate IAP ACL per endpoint


jer...@vroom.com

Sep 16, 2017, 3:22:20 PM
to Google Cloud Endpoints
tldr
service1.project.appspot - IAP allow gro...@ex.com
service2.project.appspot - IAP allow gro...@ex.com
service3.project.appspot - IAP off. Endpoints controlled

I have multiple GAE services in a single project that require separate access lists in IAP. I have not tested multiple GLB endpoints to see if the same holds true, but the requirements would be the same for a GLB endpoint.

service1 & service2 are serving html/js/css and contain a light backend
service3 is a common api used by both service1 & service2

* Is this enough info?
* Is this possible?
* Am I using IAP incorrectly?

Wesley Wong

Sep 26, 2017, 1:18:59 PM
to Google Cloud Endpoints
This seems reasonable.

You are using IAP to control access to the frontends service1 and service2. Then you are using service-to-service auth through Endpoints to control access from service1/service2 to service3.
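The service-to-service control described in this reply is normally expressed in the Endpoints OpenAPI configuration deployed for service3. The following is an added example for illustration; it is not code from the thread or from Google. The project name, host and the two service account e-mail addresses are assumed placeholders. Each calling service gets its own securityDefinition keyed on that service's service account as the token issuer, and x-google-audiences pins accepted tokens to service3 so that a token minted for some other audience is rejected at the Endpoints proxy before it reaches the application.

```yaml
# Added example: Endpoints OpenAPI config for service3 (placeholders, not a real project)
swagger: "2.0"
info:
  title: "service3 common API"
  version: "1.0.0"
# Assumed host; GAE services are addressed as <service>-dot-<project>.appspot.com
host: "service3-dot-example-project.appspot.com"
schemes:
  - "https"

securityDefinitions:
  # Tokens signed by service1's service account (assumed address)
  service1_sa:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "service1-sa@example-project.iam.gserviceaccount.com"
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/service1-sa@example-project.iam.gserviceaccount.com"
    # Only tokens whose aud claim names service3 are accepted
    x-google-audiences: "https://service3-dot-example-project.appspot.com"
  # Tokens signed by service2's service account (assumed address)
  service2_sa:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "service2-sa@example-project.iam.gserviceaccount.com"
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/service2-sa@example-project.iam.gserviceaccount.com"
    x-google-audiences: "https://service3-dot-example-project.appspot.com"

# Listing both definitions means a request is accepted if it satisfies either one;
# any caller without a valid token from one of these two accounts is refused.
security:
  - service1_sa: []
  - service2_sa: []

paths:
  /items:
    get:
      operationId: "listItems"
      description: "Example operation; inherits the top-level security requirement"
      responses:
        200:
          description: "OK"
```

Because the allow list here is a set of service account identities rather than the project-wide IAP member list, each backend API can carry its own caller set even though the IAP membership in front of the user-facing services is shared across the project.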

Jeremy Lorino

Sep 26, 2017, 10:17:21 PM
to Wesley Wong, Google Cloud Endpoints
Correct, but as far as I am aware service1 and service2 cannot have separate, non-overlapping ACLs in IAP.
--
- google is watching

Wesley Wong

Sep 27, 2017, 1:35:04 PM
to Jeremy Lorino, Google Cloud Endpoints
That is correct. According to the documentation:
Cloud IAP works at the project level, so the list of users who have access (the "members") applies to all Cloud IAP-secured resources in a project.

Therefore, if you have both service1 and service2 in the same project, then the two lists must be the same. A way around this would be to have service1 and service2 in separate projects.